How NSA is Hacking the Whole World

Edward Snowden, a 29-year-old former employee of Booz Allen Hamilton, a defence contractor in the United States, has blown the cover off the vast snooping empire that the US has built.
The Guardian and The Washington Post have published only a small fraction of the explosive material that Snowden has shared with them, with the promise of more to come. The hitherto not-so-well-known security agency of the US – the National Security Agency (NSA) – has now emerged as the lynchpin in the mind-blowing 2 petabytes (1 petabyte is equal to a million gigabytes) of data that the US collects every hour – emails, text messages, voice conversations, videos, etc.
The NSA is building a new 2 billion dollar facility in Utah, which, when ready, will have the capacity to store and process data equivalent to one million DVDs for every man, woman and child on earth! Every digital footfall, every bit of digital information, could be a part of NSA’s database. Welcome to George Orwell’s dystopia Nineteen Eighty-Four, even if 1984 has come a tad late.
The NSA processes this enormous stored data with a variety of data mining tools and programs. This, in today’s technical lingo, is called Big Data. The Guardian published a report on one such program – Boundless Informant – that showed that 97 billion pieces of intelligence were collected from around the globe in the month of March, 2013 alone. Snowden’s exposure of another of these programs – called PRISM – shows that the US has not only tapped into the global telecom networks but also gained access to the data of 9 global Internet giants – Google, Microsoft, Yahoo!, Apple, Facebook, and 4 others.
Subsequently, The Guardian has revealed that the NSA and the UK’s Government Communications Headquarters (GCHQ) – the British equivalent of the NSA – jointly spied on the G20 summit held in London in 2009. The snooping used a variety of methods, from tapping satellite signals to specially prepared Internet cafés for the delegations, and targeted not only Russia, but even Turkey, a NATO partner. This G20 meeting was largely focussed on economic matters, and the spying on the delegations was to give the US and UK delegations a negotiating advantage by knowing – in real time – the positions of other delegations. Manmohan Singh as India’s PM attended this G20 meeting.
What has created particular concern in the US is that under the secretive Foreign Intelligence Surveillance Act (FISA) court orders, all the US telecom companies have given the NSA all the transaction records of their millions of subscribers. Transactional data – or what is called metadata – are not the actual phone conversations but records of who talked to whom, from where and for how long. As experts have pointed out, this is almost as revealing as the actual conversation itself. Just one such FISA order served on Verizon (published by The Guardian) shows the omnibus nature of such orders – Furnish all records of all your subscribers.

The outrage in the US has largely focussed on its citizens being subjected to NSA surveillance. That the US is hacking into all the communications of the rest of the world has barely entered this discourse. And this is what should concern us – the other 95% of the world who are not US citizens.
The US and its Anglo-Saxon allies – the UK, Canada, Australia, New Zealand – had set up a program called Echelon after the Second World War for spying on the global telecommunications network. Echelon was investigated by the EU, which issued a report in 2001 on its activities, particularly the passing of sensitive commercial information to help US and UK firms against their EU competitors. Echelon received a fillip with the setting up of the NSA in 1952. While retiring agents of the CIA start penning their memoirs even before they have quit, the NSA has managed to keep itself out of the limelight till now. Though the three earlier NSA whistleblowers – Thomas Drake, William Binney and J. Kirk Wiebe – have been saying for years that NSA collects huge swathes of data of US and non-US citizens, it is the kind of detail and documentation that Snowden has provided that has finally caught the world’s attention.
What the Echelon program did earlier, NSA has now widened enormously. It is not just telecom cables being tapped and satellite communications being monitored. Two out of the five Snowden slides which have been published by The Guardian illustrate the nature of this surveillance. First is the global fibre optic network. As the US is the world’s biggest fibre optic network hub, a huge part of global traffic passes through the US. It can then be tapped easily as all the US carriers have obviously provided the US government direct access to their networks. For example, we know that AT&T, in its Folsom Street Office in San Francisco, had allowed NSA to install splitters that duplicate the data streams coming into AT&T switches from its global network, and divert one stream to a room housing NSA equipment. This data is then sent to NSA servers for storage and analysis. The Electronic Frontier Foundation (EFF) has questioned the validity of this program and has been fighting this case for the last 4 years with little result. In an affidavit submitted by the EFF, Mark Klein, a retired AT&T communications technician, stated that such splitting equipment was installed in other AT&T offices as well.
The Snowden slides also show another way that the global fibre optic network has been tapped. The US is tapping into major trunk routes of the Internet in international waters; one of Snowden’s slides shows that there are three such taps — a tap off the coast of South America, one north of Africa and another in the Indian Ocean.
The last and the most discussed method of surveillance used by the NSA is tapping into the servers of global Internet companies. All the Silicon Valley giants mentioned in Snowden’s slide, speaking in almost identical language, have tried to say that they are not providing the NSA direct access to their servers, while at the same time admitting that they are duty bound under US laws to provide the NSA any data it wants. What is clear is that they are providing some form of automated data delivery to the NSA that complies with the scope of requests and format of data desired by the NSA. They are also probably allowing the tapping of the telecom cables before entering their servers, similar to what AT&T has allowed in the Folsom Street case.
We have already seen that the scope of any one request – as shown in the FISA order on Verizon – can be millions of records. While the domestic clients of the US have some protection, though weak, in US law, the rest of the world has none. So the claim of the Internet companies that they only service legal requests of the US agencies provides rather cold comfort to the rest of the world.
US laws protect its citizens under the 4th Amendment, which prohibits illegal searches and seizures. While the US agencies have other instruments to access their citizens’ data, the two preferred instruments are the National Security Letters (NSL) and Foreign Intelligence Surveillance Act (FISA) orders. These enable secrecy and lower evidentiary standards compared to other instruments (such as subpoenas and warrants). The NSL mechanism has existed since 1978 but was rarely used, in part due to its extremely limited scope. This was expanded enormously after 9/11 – with the enactment of the draconian Patriot Act in 2001, as well as the FISA Amendment Act in 2008.
Issuing an NSL requires no judicial oversight and can be done by any US federal agency – FBI, Homeland Security, CIA, or NSA. All that it requires is that an officer of a certain rank issues the order. All information regarding such a Letter is under a gag order – the organisation or person served with the Letter cannot disclose that he or she has received such an order, or, indeed, the content of the order.
The FISA Court, which is supposed to review all actions or requests for surveillance of the executive, virtually rubber stamps all the requests it receives. Only 11 out of a total of 33,900 such surveillance requests have been denied by the FISA courts since 1980. All the proceedings of the FISA Court are secret, including its orders. The only FISA order which is available to the public is the one Snowden has now disclosed regarding Verizon’s telephone records.
FISA was enacted in 1970 after widespread abuse of existing surveillance powers by the US administration targeting critics of the Vietnam War, civil liberties movements, etc. The primary purpose of FISA was to protect the US citizens from such abuse. After 9/11, the minimal checks and balances contained in the Act have been considerably weakened with various amendments to FISA.

The general acquisition and interception power, as well as the business records power under FISA, allow U.S. government agencies to compel access, possibly in real time and definitely to stored data, in respect of persons reasonably believed to be located outside the United States. These powers are subject to minimisation requirements; the primary objective of these requirements is to minimise the targeting, collection and retention of private information of U.S. citizens only. The rest of the world is fair game and currently possesses virtually no protection under the US domestic law.
After the public outcry about the massive spying being carried out by the NSA, the US President and other officials have made candid statements. Obama is now on record that the NSA has been reading content only of “foreigners” and not of US citizens, and therefore does not violate US laws. The US Congress is holding a hearing on the NSA leaks, but the title of its hearing is revealing: “How Disclosed NSA Programs Protect Americans, and Why Disclosure Aids Our Adversaries”, making clear what its conclusions are going to be.
India is one of the prominent targets of US intelligence gathering. As shown by the Boundless Informant “heat” map published by The Guardian, it occupies the fifth place among countries under surveillance with 6.3 billion pieces of data, and ahead of China and Russia. The reason for this penetration is quite simple. Not only do Google, Yahoo!, and Microsoft (Hotmail) have a large number of Indian users; even government agencies and officials routinely use these web-based services for their communications. In February, 2013, after the Hyderabad bomb blast, India’s National Intelligence Agency (NIA) announced a reward of 10 lakhs for information; the email address for receiving such communications was a Gmail address. NIA is either unaware that Gmail is fully accessible to the US intelligence agencies, or it believes it has nothing to hide from the US. Even the PMO and the Attorney General use such webmail services, as reported in Bloomberg Businessweek (July 18, 2011). So do many other ministries, and even the Indian Air Force. This recipe for disaster – as pointed out in Bloomberg’s 2011 report – is now confirmed by the Boundless Informant data.

The same ignorance or callousness is being displayed with regard to UID/Aadhaar data. The UID Authority has selected 3 US companies – one for supporting and two for creating the data repository – without taking into consideration that these US companies are duty bound to furnish their data if asked for by the US government (“Questions for Mr. Nilekani” by SG Vombatkere, The Hindu, February 6, 2013).

The other issue is the complete lack of data security pertaining to information on government websites, networks and computers. India has fewer than 1,000 people manning its cyber security infrastructure. Worse, it is increasingly relying on the US companies in the name of partnership with the private sector, as shown in the Joint Working Group for Cyber Security formed last year. FICCI and NASSCOM, the two agencies who are partnering the Indian government’s cyber security exercises, have AT&T, Microsoft, Google, Facebook, Yahoo! as key members, who are now known to be partnering the US intelligence agencies. Similarly, the “Indian” team that the Ministry of Communications & IT had constituted for the World Conference on Telecommunications in Dubai in 2012 had representatives from the same companies. One can understand why the US government partners the US companies; but why should the Indian government opt for the same partners?
The EU’s justice commissioner, Viviane Reding, has written to the US attorney general asking for details of the PRISM program. India has stated that it considers hacking of Indian data “unacceptable”. Obviously, if all countries – except the US and the UK – are affected by the US snooping, all of them have to come together for a new global architecture that prevents such wholesale hacking of their networks and data.
This demands a re-look at the basic infrastructure of the Internet and how it is being governed. Today, ICANN, the key Internet body, functions under a license from the US Department of Commerce. India, with certain other countries, had earlier called for a multilateral UN body to govern the Internet. The US has opposed all such moves tooth and nail.
Attempts have also been made to bring certain aspects of the Internet – notably cyber security — under the International Telecom Union (ITU). Last year, the ITU placed some of these issues on the agenda of the International Telecommunications Conference (WCIT 2012) in Dubai, and the consequence was a veritable barrage of vilification launched against the ITU and its Director General. Civil society organisations were told that this was a ploy by authoritarian regimes such as China, Iran, Saudi Arabia to suborn the freedoms on the Internet. A lobbying group was formed by leading US companies, including AT&T, Verizon, Microsoft, Google and Facebook, and this group led the global charge against the ITU. Proposals from countries such as Saudi Arabia and Russia were withdrawn because such proposals could have affected the freedom of the Internet; but still the US and its allies walked out from WCIT, effectively preventing the emergence of any consensus. It is now clear that the issue before WCIT was not one of authoritarian regimes destroying the freedom of the Internet; but that no limit should be placed on the US intelligence agencies’ “right” to hack the global Internet infrastructure.
The Internet is not only the global backbone of communications, it is also the repository of global knowledge. It is the key to our tomorrow. If we want to realise the true potential that the Internet can unlock, we need to step in right now. We need people across the globe to fight for an Internet which brings about a new world. Not an Orwellian World of Big Brother (or Brothers) watching all of us, but a world that fulfils the emancipatory vision of the Internet — bringing the world’s knowledge to our screens. This is the challenge before us.
This article appeared in the Frontline Print edition dated July 12, 2013. It is available at
Prabir Purkayastha is the Chairperson of Knowledge Commons, a body involved with Internet and Free Software issues. He is also the Vice President of Free Software Movement of India. Rishab Bailey is a lawyer and works with Knowledge Commons.